Checkmarx One vs SonarQube comparison


Comparison Buyer's Guide

Executive SummaryUpdated on Jun 6, 2024

Categories and Ranking

Checkmarx One
Ranking in Application Security Tools
Ranking in Static Application Security Testing (SAST)
Average Rating
Number of Reviews
Ranking in other categories
Vulnerability Management (11th), Static Code Analysis (2nd), API Security (4th), DevSecOps (2nd), Risk-Based Vulnerability Management (5th)
Ranking in Application Security Tools
Ranking in Static Application Security Testing (SAST)
Average Rating
Number of Reviews
Ranking in other categories
Software Development Analytics (1st)

Mindshare comparison

As of June 2024, in the Application Security Tools category, the mindshare of Checkmarx One is 13.2%, down from 15.3% compared to the previous year. The mindshare of SonarQube is 27.7%, down from 28.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
Unique Categories:
Static Application Security Testing (SAST)
Vulnerability Management
Software Development Analytics

Q&A Highlights

Jul 08, 2020

Featured Reviews

Feb 9, 2022
Gives good results, but can be more user-friendly
We use it for code scanning and security testing for our in-house application development. We are using its latest version Apart from software scanning, software composition scanning is valuable. Its user interface could be improved and made more friendly.  When we change a window, the session…
Dec 21, 2023
This solution is simple to use and can be quickly deployed
We use SonarQube to check for vulnerabilities and quality.  The solution has helped us to find flaws in the Syntax and comply with requirements.  I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality.  I…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:


"Less false positive errors as compared to any other solution."
"Apart from software scanning, software composition scanning is valuable."
"The user interface is excellent. It's very user friendly."
"The report function is the solution's greatest asset."
"The identification of verification-related security vulnerabilities is really important and one of the key things. It also identifies vulnerabilities for any kind of third-party tool coming into the system or any third-party tools that you are using, which is very useful for avoiding random hacking."
"The tool's valuable features include integrating GPT and Copilot. Additionally, the UI web representation is very user-friendly, making navigation easy. GPT has made several improvements to my security code."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"The most valuable feature is the application tracking reporting."
"It is a good deal compared to all other tools on the market."
"If code coverage is a low number then that's of great value to me."
"Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"The initial setup is simple. It requires some security, but it's simple."
"SonarQube is good for checking and maintaining code quality."
"I like that it helps us maintain our work quality and code security."
"This has improved our organization because it has helped to find Security Vulnerabilities."


"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"Its user interface could be improved and made more friendly."
"Checkmarx could improve the speed of the scans."
"Checkmarx could improve the REST APIs by including automation."
"The product's reporting feature could be better. The feature works well for developers, but reports generated to be shared with external parties are poor, it lacks the details one gets when viewing the results directly from the Checkmarx One platform."
"Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."
"I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"Lacks sufficient visibility and documentation."
"A better design of the interface and add some new rules."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

Pricing and Cost Advice

"It is a good product but a little overpriced."
"​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
"Its price is fair. It is in or around the right spot. Ultimately, if the price is wrong, customers won't commit, but they do tend to commit. It is neither too cheap nor too expensive."
"We have purchased an annual license to use this solution. The price is reasonable."
"The interface used to create custom rules comes at an additional cost."
"The price of Checkmarx could be reduced to match their competitors, it is expensive."
"Checkmarx is comparatively costlier than other products, which is why some of the customers feel reluctant to go for it, though performance-wise, Checkmarx can compete with other products."
"We have a subscription license that is on a yearly basis, and it's a pretty competitive solution."
"We're using the Community Edition, and we don't pay for anything."
"The free version of SonarQube does everything that we need it to."
"We use the solution free of cost."
"We are using the Community edition of SonarQube."
"It is very expensive. Its price should be improved."
"The price point on SonarQube is good."
"It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
"This product is open source and very convenient."
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
789,442 professionals have used our research since 2012.

Answers from the Community

Jul 8, 2020
Jul 8, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with. On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon. As for Checkmarx vs SonarQube... Checkmarx may cover more rules over a wider land...
2 out of 3 answers
Jul 6, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Jul 7, 2020
SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.

Top Industries

By visitors reading reviews
Financial Services Firm
Computer Software Company
Manufacturing Company
Financial Services Firm
Computer Software Company
Manufacturing Company

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business

Questions from the Community

What alternatives are there for Fortify WebInspect and Fortify SCA?
I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
What do you like most about Checkmarx?
Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
What is your experience regarding pricing and costs for Checkmarx?
The solution's price is high and you pay based on the number of users.
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...



Also Known As

No data available

Learn More


Interactive Demo

Demo not available



Sample Customers

YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
Find out what your peers are saying about Checkmarx One vs. SonarQube and other solutions. Updated: May 2024.
789,442 professionals have used our research since 2012.